[Q1 2015]

akamai.com

IPV 4

exhaustion and

IPV 6

adoption

Available address space in Internet Protocol version 4 (IPV4)

continues to shrink, and will eventually be depleted
The creation of IPV6 provides a massive number of potential
new IP addresses, as well as security, routing and networking
benefits
At the same time, the expanded number of addresses in IPV6
creates new challenges for DDoS attackers and defenders:
Attackers may find it difficult to identify hosts
Defenders may find it difficult to track the large number of unique addresses
that can be generated in an attack

Transitional technologies used to bridge the operation of IPV4

and IPV6 are also vulnerable to abuse by malicious actors

2 / [The State of the Internet] / Security (Q1 2015)

= elements driving

IPV 6

attack vectors

Abuse of transitional technologies to bypass security controls

Use of IPV6 protocol against applications and services that are
IPV6 enabled, bypassing IPV4 security controls
Modification of IPV6 protocol structure, aiming to bypass IPV6
IPS, IDS and firewall technologies
Adaptation of application layer attacks to work over IPV6
Adaptation of exploitation frameworks to work with the IPV6
protocol
Purpose-built denial of service tools and techniques based
solely on the IPV6 protocol architecture

3 / [The State of the Internet] / Security (Q1 2015)

= transition vulnerabilities

The transition from IPV4 to IPV6 creates multiple vulnerabilities:

IPV6 networking that is enabled by default and overlooked by

administrators
Tunneling protocols such as Teredo that may allow IPV6 traffic
to bypass security filtering
Filtering programs that require special configuration to work
with IPV6

4 / [The State of the Internet] / Security (Q1 2015)

= reflection attacks over

IPV 6

PLXsert researchers created a laboratory environment to test

IPV6 vulnerability
In most cases, abuse of IPV4-protected services and systems
was possible using the IPV6 stack
Standard UDP reflection techniques were successful against
both CHARGEN and NTP services over IPV6, due to lack of IPV6
support in the filtering layer

Figure 1: NTP reflection successfully targeted an IPV6 machine in our lab behind a shared router

5 / [The State of the Internet] / Security (Q1 2015)

= spoofing and hijacking

The expansion in IPV6 allows for a substantial

spoofable/hijackable address space to be leveraged by
attackers
A single end-user IP range will typically be a /64, allowing
roughly 18 quintillion spoofable/hijackable addresses
Even a single machine could easily send traffic that appears to
be from millions of legitimate-looking hosts

Figure 2: Spoofed traffic was successfully routed to an IPV6 host via an ISP
6 / [The State of the Internet] / Security (Q1 2015)

= local-link attacks

PLXsert performed several tests on popular cloud-provider

networks. For a provider that did not have Rogue Router
Advertisement (RRA) protection, researchers simulated an
effective DDoS attack:
Crafted RRA packets flooded testing machines with malformed routing
information
Requests directed the targeted machine to use the attacking server as
its first hop in the default route
The targeted machine was forced to stop communicating over its global
link interface, effectively DoSing end users

This technique was effective in networks where local-link

addresses are shared with neighbors and protections against
RRA are not in place

7 / [The State of the Internet] / Security (Q1 2015)

= security community considerations

Many of the security implications of IPV6 adoption are

undiscovered or unreported
End users and corporations are at risk when deploying IPV6
technology without proper training or awareness
Security community research has seen indications that
malicious actors are already testing and researching IPV6
attack methods
IPV6 will eventually be the principal addressing protocol on
the Internet, and the web security community must be ready

8 / [The State of the Internet] / Security (Q1 2015)

= Q1 2015 State of the Internet Security Report

Download the Q1 2015 State of the Internet Security Report

The Q1 2015 report covers:

Analysis of DDoS web application attack trends

Bandwidth (Gbps) and volume (Mpps) statistics
Year-over-year and quarter-by-quarter analysis
Attack frequency, size, types and sources
Security implications of the transition to IPv6
Mitigating the risk of website defacement and domain hijacking
DDoS techniques that maximize bandwidth, including booter/stresser
sites
Analysis of SQL injection attacks as a persistent and emerging threat

9 / [The State of the Internet] / Security (Q1 2015)

= about stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai,

serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and

archived versions of Akamais State of the Internet
(Connectivity and Security) reports, the companys data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.

10 / [The State of the Internet] / Security (Q1 2015)